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TITLE OF THE INVENTION 
KEY SHARING METHOD, SECRET KEY GENERATING METHOD, 
COMMON KEY GENERATING METHOD AND CRYPTO GRAPHIC 
COMMUNICATION METHOD IN ID-NIKS CRYPTOSYSTEM 

5 

BACKGROUND OF THE INVENTION 
The present invention relates to a key sharing method for sharing 
a common key between both entities without a preliminary 
communication, a secret key generating method and device for generating 

10 a secret key of each entity in a center, a common key generating method 
and device for generating a common key necessary for an encrypting 
process and a decrypting process on each entity side, a cryptographic 
communication method and system for carrying out a communication by 
using a ciphertext such that people other than a concerned participant 

15 cannot know the contents of information, and a memory product/data 
signal embodied in carrier wave for recording/transmitting operation 
programs for these methods. 

In the modern society, called a highly information-oriented society, 
based on a computer network, important business documents and image 

20 information are transmitted and communicated in a form of electronic 
information. Such electronic information cab be easily copied, so that it 
tends to be difficult to discriminate its copy and original from each other, 
thus bringing about an important issue of data integrity. In particular, 
it is indispensable for establishment of a highly information oriented 

25 society to implement such a computer network that meets the factors of 
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"sharing of computer resources/' "multi- accessing/ 5 and "globalization/' 
which however includes various factors contradicting the problem of data 
integrity among the parties concerned. In an attempt to eliminate those 
contradictions, encrypting technologies which have been mainly used in 
5 the past military and diplomatic fields in the human history are 
attracting world attention as an effective method for that purpose. 

A cipher is defined as exchanging information in such a manner 
that no one other than the participants can understand the meaning of 
the information. In the field of ciphers, encryption is defined as 

10 converting an original text (plaintext) that can be understood by anyone 
into a text (ciphertext) that cannot be understood by the third party and 
decryption is defined as restoring a ciphertext into a plaintext, and 
cryptosystem is defined as the overall processes covering both encryption 
and decryption. The encrypting and decrypting processes use secret 

15 information called an encryption key and a decryption key, respectively. 
Since the secret decryption key is necessary in decryption, only those 
knowing this decryption key can decrypt ciphertexts, thus maintaining 
data security. 

The encryption key and the decryption key may be either the 
20 same or different from each other. A cryptosystem using the same key is 
called a common-key cryptosystem, and DES {Data Encryption 
Standards) employed by the Standard Agency of the USA Commerce 
Ministry is a typical example. As an example of the cryptosystem using 
the keys different from each other, a cryptosystem called a public-key 
25 cryptosystem has been proposed. In the public-key cryptosystem, each 
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user (entity) utilizing this cryptosystem generates a pair of encryption 
and decryption keys and publicizes the encryption key in a public key list, 
thereby keeping only the decryption key in secret. In this public-key 
cryptosystem, the paired encryption and decryption keys axe different 
5 from each other, so that the public-key cryptosystem has a feature that 
the decryption key cannot be known from the encryption key with a 
one-way function. 

The public-key cryptosystem is a breakthrough in cryptosystem 
which publicizes the encryption key and meets the above-mentioned three 

10 factors required for establishing highly information-oriented society so 
that it has been studied actively for its application in the field of 
information communication technologies, thus leading RSA cryptosystem 
being proposed as a typical public-key cryptosystem. This RSA 
cryptosystem has been implemented by utilizing the difficulty of 

15 factorization into prime factors as the one-way function. Also, a variety 
of other public-key cryptosystems have been proposed that utilize the 
difficulty of solving discrete logarithm problems. 

Besides, a cryptosystem has been proposed that utilizes ID 
(identity) information identifying individuals, such as post address, name 

20 and electronic mail address of each entity. This cryptosystem generates 
an encryption/decryption key common to a sender and a receiver based on 
ID information. Besides, the following ID -information based 
cryptosystems are provided- (l) a technique which needs a preliminary 
communication between the sender and the receiver prior to a ciphertext 

25 communication and (2) a technique which does not need a preliminary 
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communication between the sender and the receiver prior to a ciphertext 
communication. The technique (2), in particular, does not need a 
preliminary communication, so that its entities are very convenient in use, 
thus considered as a nucleus for the future cryptosystems. 
5 A cryptosystem according to this technique (2) is called ID -NIKS 

(ID-based non-interactive key sharing scheme), whereby sharing an 
encryption key without a preliminary communication is enabled by 
employing ID information of a communication partner. The ID -NIKS 
needs not exchange a public key or a secret key between a sender and a 

10 receiver nor receive a key list or services from third parties, thus securing 
safe communications between any given entities. 

FIG. 1 shows principles for this ID-NIKS system. This system 
assumes the presence of a reliable center, around which a common-key 
generation system is configured. In FIG. 1, the information specific to 

15 an entity X, i.e. its ID information of a name, a post address, a telephone 
number, an e-mail address, etc. is represented by httDx) using a hash 
function h( • ). For an any given entity X, the center calculates secret 
information Sxi as follows on the basis of center public information {PCi}, 
center secret information {SCi} and ID information h (IDx) of the entity X, 

20 and sends it to the entity X secretly* 
Sxi = Fi «SCi}, {PCi}, hdDx)) 

The entity X generates, for communications between itself and 
another arbitrary entity Y, a common key Kxy for encryption and 
decryption with its own secret {Sxi}, center public information {PCi} and 
25 entity Ts ID information h&Dy) of the partner entity Y as follows^ 
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Kxy = f«&J,{PCi>, h(ID Y )) 

The entity Y also generates a common key Kyx for the entity X 
similarly. If a relationship of Kxy = Kyx holds true always, these keys Kxy 
and Kyx can be used as the encryption and decryption keys between the 
5 entities X and Y 

In the above-mentioned public-key cryptosystem, for example, an 
RSA cryptosystem, its public key measures 10'fold and more as long as 
the presently used telephone number, thus being very troublesome. To 
guard against this, in the ID - NIKS, each ID information can be 
10 registered in a form of name list to thereby be referenced in generating a 
common key used between any given entities. Therefore, by safely 
implementing such an IK - NIKS system as shown in FIG. 1, a convenient 
cryptosystem can be installed over a computer network to which a lot of 
entities are subscribed. For these reasons, the ID — NIKS is expected to 
15 constitute a core of the future cryptosystem. 

In an ID - NIKS sharing a common key to act as an encryption 
key and a decryption key each other without performing a preliminary 
communication using the ID information of a communication partner, 
particularly it is desirable that sufficient safety should be maintained 
20 against a collusion attack in which a plurality of entities collude. Whether 
a cryptological safe ID — NIKS can be constructed or not is an important 
problem for an advanced computerization society and an ideal crypto 
scheme has been researched. 

BRIEF SUMMARY OF THE INVENTION 
25 It is an object of the present invention to provide a key sharing 



method for easily sharing a common key between both entities without a 
preliminary communication by mapping at a point on an algebraic curve 
such as an elliptic curve utilized for elliptic cipher based on identity 
information (ID information) of each entity, a secret key generating 
5 method and device, a common key generating method and device, a 
cryptographic communication method and system for constructing a 
safety ID - NIKS based on the key sharing method, and a memory 
product/data signal embodied in carrier wave for recording/transmitting 
operation programs for these methods. 
10 In the present invention, mapping is carried out at a point on an 

algebraic curve such as an elliptic curve or a hyperelliptic curve which is 
utilized for elliptic cipher based on the identity information (ID 
information) of each entity and the mapping value is set to be a public 
key of each entity. The algebraic curve and a mapping algorithm are 
15 open to the public. In a center, mapping is carried out at a point on the 
algebraic curve based on the identity information (ID information) of each 
entity, and a secret key of the entity is generated by using the mapping 
value and secret information of the center itself and is sent to the 
corresponding entity in secret. Each entity generates a common key to 
20 be used for an encrypting process and a decrypting process by utilizing 
the self-secret key sent from the center and the mapping value obtained 
by mapping at a point on the algebraic curve based on the identity 
information (ID information) of a communication partner. In this case, 
the same common key is shared between both entities without performing 
25 a preliminary communication by utilizing paring (Weil pairing, Tate 
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pairing or the like) defined on the algebraic curve. The mapping at a 
point on the algebraic curve in the present invention can be carried out 
for each entity and the center. 

In the present invention, safety is based on a discrete logarithm 
5 problem on the algebraic curve (for example, a discrete logarithm problem 
on an elliptic curve which will be hereinafter referred to as an elliptic 
discrete logarithm problem). A cryptosystem according to the present 
invention is broken due to a collusion attack of a plurality of entities 
equivalently to the solution of the elliptic discrete logarithm problem or 
10 with more difficulty, for example. Thus, very high safety can be 
obtained. 

The above and further objects and features of the invention will 
more fully be apparent from the following detailed description with 
accompanying drawings. 

15 

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS 
FIG. 1 is a diagram showing the structure of a principle of an ID — 
NIKS system, 

FIG. 2 is a diagram typically showing the structure of a 
20 cryptographic communication system according to the present invention, 

FIG. 3 is a diagram typically showing the communication state of 
information between two entities, and 

FIG. 4 is a diagram showing the structure of a memory product 
according to an embodiment. 
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DETAILED DESCRIPTION OF THE INVENTION 
Embodiments of the present invention- will be described 
specifically, 

FIG. 2 is a diagram typically showing the structure of a 
5 cryptographic communication system according to the present invention. 
A center 1 which can reliably conceal information is set. For example, a 
social public organization can correspond to the center 1. The center 1 
and a plurality of entities A, B, ... Z to be users utilizing the 
cryptographic communication system are connected through secret 

10 communication passages 2a, 2b, 2z, and secret key information (secret 
keys S a , Sb, St) are sent from the center 1 to the entities A, B, Z 
through the secret communication passages 2a, 2b, 2z. Moreover, 
communication passages 3ab, 3az, 3bz, . . . are provided between two 
entities, and a ciphertext obtained by encrypting communication 

15 information is transmitted between the entities through the 
communication passages 3ab ? 3az ? 3bz ? .... 

Next, description will be given to a basic system according to the 
present invention in which an elliptic curve is used as an algebraic curve. 
First of all, the basic property of Weil pairing of the elliptic curve 

20 used in the present invention will be described. The Weil pairing implies 
mapping on a multiplicative group of a finite field Fa (d = q k ) from a group 
E / F q formed by points on the elliptic curve. In the Weil pairing, a 
bilinear property and a commutative law are established in the following 
maimer. < , > represents the Weil pairing, and P, Pi, P2, Q, Qi and 

25 Q2 represent points on the elliptic curve. 
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(Bilinear Property) 

<Pi + Q>=<Pi ? QXP* Q> 
<P, Qi + Q 2 >=<P, QiXP, Q2> 
(Commutative Law) 
5 <P, Q> = <Q,P>"i 

There is a bilinear property. Accordingly if m is an integer, the following 
equality is established. 

<mP, Q>=<P, Q> m 
<P, mQ>=<P, Q> m 
10 A key sharing method based on the Weil pairing will be described 

below 

(Secret Key Generation in Center l) 

Identity information (ID information) of an optional entity A, for 
example, a name, a post address, a telephone number, an e- mail address 

15 and the like is set to be ID a . The center 1 opens, to the public, the 

algorithm < , > of the Weil pairing and a function £( ) for converting 
(mapping) the ID information ID a of the optional entity A into a point P a e 
E/F^ on the elliptic curve to obtain a public key Moreover, the center 1 
generates a secret random number r. By using the random number r 

20 and the public key P a of the entity A, a secret key S a of the entity A is 

obtained in the following equation (l). The secret key S a thus obtained is 
distributed to the entity A in secret. 
Sa^rPa ... (D 

The above-mentioned secret information and public information 
25 can be collected as follows. 
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Public information of center 1 * < , > f( ) 
Secret information of center 1 : r (random integer) 
Public key of entity A : P a (= fCTDa)) 

Secret key of entity A : S a (= r * fGDa)) 

5 (Generation of common key in entity A, B) 

Each entity generates a common key by utilizing the Weil pairing 
on the elliptic curve based on a self- secret key distributed from the center 
1 and a public key of the entity to be a communication partner. 
(First Example) 

10 An algorithm for comparing in size the ID information ID a of the 

entity A with the ID information IDb of the entity B is set and the order of 
the pairing is properly set by using information about the comparison in 
size when the pairing is to be calculated. As the algorithm, the 
comparison in size by a lexicographic expression or binary can be used. 

15 As a method for setting the order of the pairing, it is also possible to use 
information about the comparison in size of the public keys P a and Pb 
which are obtained after converting (mapping) the ID information ID a 
and IDb. 

For example, if ID a > IDb is set, the entity A generates a common 
20 key Kab in accordance with the following equation (2) by using the 

self- secret key S a and the public key Pb in which the ID information IDb of 
the entity B is mapped onto the elliptic curve. 

Kab= <Sa,Pb> 

= <rPa,Pb> 

25 = <P a ,Pb> r ... (2) 
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On the other hand, if ID a > IDb is set, the entity B generates a 
common key Kba in accordance with the following equation (3) by using 
the public key P a in which the ID information ID a of the entity A is 
mapped onto the elliptic curve and the self-secret key 8b- 

5 Eba= <Pa, Sb> 

= <P a ,rPb> 

= <Pa> Pb> r *~ (3) 

Accordingly, the common key Kab generated by the entity A is 
coincident with the common key Kba generated by the entity B so that the 
10 common key can be shared between both entities A and B. 

Next, description will be given to two examples in which the key 
can be shared without setting the comparison in size of the ID 
information described above. 
(Second Example) 

15 A symmetrical function g(x, y) related to x and y (excluding g(x, y) 

= xy) is set. In the following example, g(x, y) = x + y is set. The entity A 
generates a common key of Kab = k a b + kba as in the following equation (4) 
in accordance with g (x ? y) = x + y, 

Kab = kab + kba 
20 = <S a , Pb> + <Pb, Sa> 

- <rP a ,Pb> + <Pb,rP a > 

= <P a >Pb> r + <Pb,Pa>* (4) 

On the other hand, the entity B generates a common key of Kba = 
kba + kab as in the following equation (5) in accordance with g (x, y) = x + 
25 y 
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Kba - kba + kab 

= <Sb,Pa> + <Pa ? Sb> 

= <rPb, Pa> + <Pa,rP b > 

= <Ph f Pa> r + <Pa,Pb> r ... (5) 

5 Accordingly, the common key Kab generated by the entity A is 

coincident with the common key Kba generated by the entity B so that the 
common key can be shared between both entities A and B. Even if other 
kinds of symmetrical functions g(x, y) are utilized, the key can be shared 
in the same manner. 
10 (Third Example) 

The entity A generates a common key of Kab = kab + kab"" 1 as in the 
following equation (6) by using the k a b shown in the second example. 

Kab = kab + kab" 1 

= <Sa,Pb> + <Sa,Pb>' 1 

15 = <rPa 3 Pb> + <rP a ,Pb>" 1 

= -<Pa,Pb>*+ <Pa>Pb>' r ... (6) 

The entity B generates a common key of Kba = kba + kba -1 as in the 
following equation (7) by using the kba shown in the second example. 

Kba = kba + kba 1 
20 = <Sb, Pa> + <Sb, Pa> 1 

= <rP bl Pa> + <rPb, Pa>- X 

= <Pb, Pa> r + <Pb, Pa> r 

= <P aj Pb>' r + <Pa>Pb>' (7) 

Accordingly the common key Kab generated by the entity A is 
25 coincident with the common key Kba generated by the entity B so that the 
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common key can be shared between both entities A and B. 
(Fourth -Example) 

The entity A generates an intermediate key lab in accordance with 
the following manner by using the self- secret key S a and the public key Pb 
5 of the entity B. 

lab = <3 a ,Pb> 

= <rP a /Pb> 

= <Pa/Pb> r 

The entity B generates an intermediate key Ibain accordance with 
10 the following manner by using the self- secret key Sb and the public key P a 
of the entity A, 

= <S b ,Pa> 

= <rPb/P*> 

- <Pb*Pa> r 

15 According to the above-mentioned (Commutative Law) in Weil 

pairing, it is understood that a relation of lab X I ba . = 1 is satisfied. The 
key may be shared between both entities A and B by utilizing such a 
relation of inverse number. 

As described above, a common key for each entity can easily be 

20 generated by utilizing the Weil pairing. 

While the mapping point P a is directly obtained from the ID 
information ID a of the entity A in the above-mentioned example, the ID 
information ID a may be converted by utilizing a one-way function to 
obtain the mapping point P a from the converted value. In this case, if a 

25 hash function h( ) is used as an example of the one-way function, the 
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public key P a = fCh(IDa)) and the secret key S a = r * fGittDj) are set. 

In order for the entity to obtain the secret information r of the 
center 1 with difficulty the following two conditions are required, 
(condition 1) q is set to be 2 160 or more. 
5 (condition 2) There is an integer k which satisfies #E/F q I q k - 1 and > 
2 1024 . 

The (condition 1) is required for solving an elliptic discrete 
logarithm problem with difficulty. The (condition 2) is required for 
solving the discrete logarithm problem of a finite field Fd (d = q k ) with 
10 difficulty. 

Next, description will be given to an information communication 
between the entities in a cryptosystem utQizing the above-mentioned key 
sharing method. FIG. 3 is a diagram typically showing the 
communication state of information between two entities A and B. In 

15 the example of FIG. 3, the entity A encrypts a plaintext (message) M into 
a ciphertext C and transmits the same to the entity B ? and the entity B 
decrypts the ciphertext C to the original plaintext (message) M. 

The center 1 comprises a public key generator la for using a 
function ft ) to obtain public keys P# and Pb to be mapping positions in 

20 which the ID information ID a and IDb of the entities A and B are mapped 
on an elliptic curve, and a secret key generator lb for obtaining secret 
keys S a and Sb of the entities A and B by using the public keys P a and Pb 
and center inherent secret information r. The secret keys S a and Sb 
generated in accordance with the above-mentioned (l) are sent from the 

25 center 1 to the entities A and B. 
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The entity A side is provided with a public key generator 11 for 
inputting ID information IDb of the entity B to obtain the public key Pb to 
be a mapping position in which the ID information IDb is mapped on the 
elliptic curve, a common key generator 12 for generating a common key 
5 Kab to the entity B which is required for the entity A based on the secret 
key S a sent from the center 1 and the public key Pb from the public key 
generator 11, and an encryptor 13 for encrypting the plaintext (message) 
M into the ciphertext C by using the common key Kab and for outputting 
the ciphertext C to a communication passage 30. 

10 Moreover, the entity B side is provided with a public key 

generator 21 for inputting ID information ID a of the entity A to obtain the 
public key P a to be a mapping position in which the ID information ID a is 
mapped on the elliptic curve, a common key generator 22 for generating a 
common key Kba to the entity A which is required for the entity B based 

15 on the secret key Sb sent from the center 1 and the public key P a from the 
public key generator 21, and a decryptor 23 for decrypting the ciphertext 
C input from the communication passage 30 to the plaintext (message) M 
by using the common key Kba and for outputting the plaintext M. 
Next, operation will be described. In the case in which 

20 information is to be transmitted from the entity A to the entity B, the ID 
information IDb of the entity B is first input to the public key generator 
11 to obtain the public key Pb. Then, the public key Pb thus obtained is 
sent to the common key generator 12. Moreover, the secret key S a is 
input from the center 1 to the common key generator 12. Then, the 

25 common key Kab is obtained in accordance with the above-mentioned 
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equation (2), (4) or (6), and is sent to the encryptor 13. In the encryptor 
13, the plaintext (message) M is encrypted into the ciphertext C by using 
the common key Kab and the ciphertext C is transmitted through the 
communication passage 30. 
5 The ciphertext C transmitted through the communication passage 

30 is input to the decryptor 23 of the entity R The ID information ID a of 
the entity A is input to the public key generator 21 so that the public key 
P a is obtained. The public key P a thus obtained is sent to the common 
key generator 22. Moreover, the secret key 3b is input from the center 1 

10 to the common key generator 22. Then, the common key Kba is obtained 
in accordance with the above-mentioned equation (3), (5) or (7) and is sent 
to the decryptor 23. In the decryptor 23, the ciphertext C is decrypted to 
the plaintext (message) M by using the common key 

Next, safety according to the present invention will be described, 

15 The safety of the present invention is based on an elliptic discrete 

logarithm problem and an extended elliptic discrete logarithm problem 
equivalent thereto as will be described below. 

[Equivalence of Elliptic Discrete Logarithm Problem to Extended Elliptic 
Discrete Logarithm Problem] 

20 An ordinary elliptic discrete logarithm problem implies a problem 

in which r is obtained from P and Q when an optional point P on an 
elliptic curve E and an r-fold point Q = rP are given. As shown in the 
following equation (8), in the case in which an optional point Pi (l < i < 
n-l) and Q based on the point Pi are given to the elliptic curve, a problem 

25 for obtaining a certain set of n (l < i < n-l) is defined as the extended 
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elliptic discrete logarithm problem. There will be considered the 
equivalence of the elliptic discrete logarithm problem to the extended 
elliptic discrete logarithm problem. For simplicity of discussion, the 
elliptic curve is a prime number order p. 

5 

n-i 

P:.Q( = 2 HP; <U v |£n-l ) (8) 

1=1 

(Conclusion of Elliptic Discrete Logarithm Problem into Extended Elliptic 
Discrete Logarithm Problem) 

It is assumed that the elliptic discrete logarithm problem can be 
10 solved on the basis of a base point P. Referring to Pi (l < i < rr l) and*Q, 
coefficients can be obtained on the basis of the base point P on the elliptic 
curve as shown in the following equation (9) r respectively. 

provided 

n-i n-i 

2 r ; p.-r' , s r ; P ( . = r'P (9) 

• _«j 1 1 provided . _<j 1 1 

15 Coefficients x{ and r* are set to be elements of P p and the following 

indefinite equation (10) is solved. Thus, ri (l < i < n*l) can be obtained 
Consequently; the extended elliptic discrete logarithm problem can be 
solved. 
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10 



n-i 

r' = 2 r ( r'j 



(10) 



(Conclusion of Extended Elliptic Discrete Logarithm Problem into Elliptic 
Discrete Logarithm Problem) 

It is assumed that an optional extended elliptic discrete logarithm 
5 problem can be solved. Referring to Pi (l <; i ^ n) on the elliptic curve, an 
extended elliptic discrete logarithm problem indicated by the following 
equation (ll) is solved and is expressed in a matrix. Consequently, the 
following equation (12) can be obtained. 



j * ! 



( 1 £ ; ^ n ) 



( n ) 



/n.lPl r li2 P 2 •» r^n^Pn., -P n \ 

r 2.i p i r 2,2 P 2 '*' "Pn-1 r 2,nPn 

• * » • 

* < * • 

\ — f 1 r n>2 P 2 --■ r n ,n-fPn-i r n,nP n / 



°\ 

0 



0/ 

(12) 



When only coefficients are extracted from the matrix in the 
above-mentioned equation (12), the following equation (13) is obtained 
and modification can be carried out as indicated by the following equation 
(14). 
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As is apparent from the equation (14), the point Pi (l 3 i ss n-l) can 
be expressed in the constant multiple of P Q . In other words, x{ satisfying 
Pi = ri'Pn can be obtained by solving the extended elliptic discrete 
logarithm problem. 

Consequently, the elliptic discrete logarithm problem is equivalent 
to the extended elliptic discrete logarithm problem. 
[Safety related to Secret Information of Center] 

The secret information r of the center is obtained from the public 
key P c and the secret key S c of an entity C equivalently to the solution of 
the elliptic discrete logarithm problem with difficulty* 

< P a , Pb > is calculated from the public key P a of the entity A and 
the public key Pb of the entity B and r is obtained from the calculated 
<P a , Pb> and the common key Kab = <P* , Pb> r equivalently to the 
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solution of the discrete logarithm problem with difficulty. 

Accordingly, any entity cannot obtain the secret information r of 
the center. 

[Safety related to Secret Key of Entity] 
5 An attack in which n entities colluding each other counterfeit the 

secret key S c of the entity C will be considered. If it is assumed that the 
public key P G of the entity C can be expressed by linear combination of the 
public keys of other entities as in the following equation (15), the 
following equation (16) is established if the linear combination is 
10 substituted for the equation (l). Therefore, the secret key S c of the 
entity C is exposed. 

Pc = UlPl + U2P2 + ... + UnPn ... (15) 

Sc ~ rPc 

= r(uiPl + U2P2 + ... + UnPn) 

15 = ui(rPi)+ u 2 (rP2)+ . . . + u n (rPn) 

= UlSl + U2S2 + ... + UnSn ... (16) 

However, it is necessary to solve the extended elliptic discrete 
logarithm problem to obtain the coefficient Ui in the equation (15). 
Accordingly, such an attack is hard to perform. Consequently, the safety 
20 is based on the difficulty of the solution of the extended elliptic discrete 
logarithm problem. 

The safety of the secret key will be described in more detail. The 
extended elliptic discrete logarithm problem implies a problem for solving 
the coefficients ui and U2 in the following equation (17) when P is an 
25 optional point on E/F q and (Gi, G2) is a generator of E/F q . 
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P = uiGi + u 2 G 2 ... (17) 

The degrees of Gi and G2 are defined as #(Gi) and#(G2). #(Gi) I 
#(Ga) is set. If the extended elliptic discrete logarithm problem can be 
solved, the coefficients m and U2 in P = uiGi + U2G2 and the coefficients vi 
and V2 in Q = V1G1 + V2G2 are obtained. Consequently, the elliptic 
discrete logarithm problem Q = rP can be solved in the following equation 
(18). 



ru 2 = V 2 ( mo,dt(G 2 )) 
f = -77- mod 



r=7r mod t; %/ r u •-•(18) 

U 2 \ gcd( u 2 , # (G 2 )) / 

10 Equivalency of the problem for solving the equation (15) to the 

extended elliptic discrete logarithm problem will be considered. If the 
equation (15) can be solved, ry in the following equation (19) can be 
obtained. 

Mir. , P ; (lg i^n-2) •■• (19) 

J =1 

15 
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On the assumption that a determinant of (n-2) x (n-2) on the left 
side is a prime of #(G2> of P a -i = Gi and Pn = G2 in the following equation 
(20), the following equation (20) can be solved. If the determinant is not 
a prime of #(G2), another solution ruin the equation (19) can be selected. 
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As a result, if the equation (15) can be solved, the extended elliptic 
discrete logarithm problem of Pi shown in the following equation (21) and 
(Gi, G2) can also be solved. 
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(21 ) 



To the contrary, if the extended elliptic discrete logarithm problem 
can be solved, it is indicated that the equation (15) can be solved. If the 
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extended elliptic discrete logarithm problem of Pi and (Gi, G2) is defined 
as the following equation (22) and the extended elliptic discrete logarithm 
problem of P c and (Gi, G2) is defined as the following equation (23), a 
relationship in the following equation (24) is established. 
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; =1 



(24) 



If vj and rij are given, it is apparent that ui can be solved. 
Accordingly, the problem for solving the above equation (15) is equivalent 
to the extended elliptic discrete logarithm problem. Moreover, if a group 
of elliptic curves is periodic, it is apparent that the extended elliptic 
discrete logarithm problem is equivalent to the elliptic discrete logarithm 
problem. In this case, accordingly, the problem for solving the above 
equation (15) is equivalent to the elliptic discrete logarithm problem. 
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[Safety related to Common Key between Entities] 

An attack in which n entities colluding each other counterfeit the 
common key between the entities A and C will be considered. If it is 
assumed that the public key P c of the entity C can be expressed by linear 
combination of the public keys of other entities as in the above equation 
(15), common keys Kac and Kca between both entities A and C are exposed 
as in the following equations (25) and (26), and so is the case in which the 
secret key S c of the entity C can be expressed by the linear combination. 

K a c = (Sq. P c ) 

= (S a . Ui Pi +u 2 P2 + *" + u nPn ) 

= (S a . Pi ) Ul (S a . P 2 > U2 — <Sa. Pn) Un 
= K a U ]K a V-K a Un n ... (25) 

However, it is necessary to solve the extended elliptic discrete 
logarithm problem to obtain the coefficient Ui in the above equation (15). 
Accordingly, such an attack is hard to perform. 

The entity A cannot counterfeit a common key Ebc between other 
entities from the self-public key P a and self-secret key S a if any. The 
reason is that the secret keys Sb and S c are secret information about the 
entities B and C which cannot be obtained if there is no secret 
information r. Accordingly any entity cannot counterfeit the common 
key Kbc- 



25 

A collusion attack for obtaining the common key Kbc from the 
secret key Si of a collusive entity I without the secret keys Sb and S c has 
the same problem as that in the case in which the secret keys Sb and S c 
are obtained from the secret key Si. Moreover, the collusion attack for 
5 obtaining the common key Kbc from the common key K% between the 
collusive entities I and J is a difficult problem because the secret 
information r of the center is not known. The problem for obtaining the 
common key Kbc results in a Diffe-Hellman type problem. 

The entity A can calculate the common keys Kab and Kac. 
10 Therefore, if the common key Kb c can be obtained from the common keys 
Kab and Ka C) the entity A can counterfeit a common key between other 
entities. However, it is hard to apply such an attack method to the 
present invention. 

Next, description will be given to a key sharing method for 
15 extending ID information of each entity to a vector according to another 
embodiment of the present invention. 

A vector P a to be the ID information of an entity A is represented 
by the following equation (27). 

VeCtOr Pa = (Pal, Pa2, Pan) ... (27) 

20 Moreover, a symmetrical matrix R of n x n is set as the secret information 
of a center 1 in the following equation (28). 
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In the center 1, the vector P a and the symmetrical matrix E are 
used to obtain a secret key (vector Sj of the entity A in accordance with 
the following equation (29), and the secret key thus obtained is sent to the 
entity A in secret. 



S » — P » R 



(29) 



10 



The entity A generates a common key Kab to an entity B in 
accordance with the following equation (30). A product of points is set to 
be a value of Weil pairing. 
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( 30) 



Moreover, the entity B generates a common key Kba to the entity A 
in the same manner In the case in which the comparative relationship 
in size between the ID information of the entities A and B is taken into 
consideration as in the first example according to the above-mentioned 
embodiment Kab = Kba is set so that the same common key can be shared. 

Next, safety according to the present embodiment will be taken 
into consideration. 

[Safety related to Secret Information of Center] 
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A secret matrix R of the center is obtained from the public key- 
vector P c and the secret key vector S c of an entity G equivalently to the 
solution of the extended elliptic discrete logarithm problem with 
difficulty. 

5 < Pai , Pbj> (l ^ i j ^ rO is calculated from the public key vector P a 

of the entity A and the public key vector Pb of the entity B and each 
component (l < i, j < n) of the matrix E is obtained from the calculated 
< P^ , Ptj > and the common key Kab shown in the following equation (3 1) 
equivalently to the extended discrete logarithm problem and the discrete 
10 logarithm problem in the same manner as the equivalence of the 
extended elliptic discrete logarithm problem to the elliptic discrete 
logarithm problem. 

Kab = TT TT (P ai .Pbj) r!j ••• < 31 ] 

15 As described above, the secret information (symmetrical matrix E) 

of the center 1 is not exposed. 
[Safety related to Secret Key of Entity] 

An attack in which n entities colluding each other counterfeit the 
secret key vector S c of the entity C will be considered. If it is assumed 

20 that the public key vector P c of the entity C can be expressed by linear 

combination of the public key vectors of other entities as in the following 
equation (32), the following equation (33) is established if the linear 
combination is substituted for the above equation (29). Therefore, the 
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secret key vector Sc of the entity C is exposed. 

u, p7+u 2 Pl+--- + u nPn •••(32) 

(u, K+"2Pl+--- + u nK)R 
u 1 (p7R) + U2(P2R) + --- + u n(KR) 
u,sT+u 2 'sI+--- + lJ nS^ •••(33) 

However, it is necessary to solve the extended elliptic discrete 
5 logarithmic problem to obtain components in the above equation (29), 
Therefore, such an attack is carried out with difficulty. Accordingly the 
safety is based on the difficulty to solve the extended elliptic discrete 
logarithm problem. 

[Safety related to Common Key between Entities] 

10 An attack in which n entities colluding each other counterfeit a 

common key between the entities A and C will be considered. If it is 
assumed that the public key vector P c of the entity C can be expressed by 
linear combination of the public key vectors of other entities as in the 
following equation (32), common keys Kac and K> a between both entities A 

15 and C are exposed as in the following equations (34) and (35), and so is 
the case in which the secret key vector S c of the entity C can be expressed 
by the linear combination. 
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= K a u ]K a i-*aS •••(34) 

Kc a = ^a ^ 2a * " * ^na (35) 

However, the extended elliptic discrete logarithm problem is 
solved to obtain the coefficient ui in the above equation (32). Therefore, 
5 such an attack is hard to perform. 

Also in the present embodiment, moreover, it is hard to generate a 
common key between other entities from a self-common key by a certain 
entity in the same manner as that in the above-mentioned embodiment. 

It is also possible to extend the ID information of the entity to a 
10 symmetrical matrix of n x n. In this case, the relationship in the 

following equation (36) is satisfied by a common key matrix k a b = (sij) and 
a common key matrix kba ~ (t 3 i) . 

Sij^tji' 1 — (36) 

While the case in which the Weil pairing is used has been 
15 described in the above example, the key sharing can be carried out 

between both entities also in the case in which Tate pairing is utilized as 
pairing on the elliptic curve. 

Moreover, in any of the Weil pairing and the Tate pairing, the 
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calculation of the pairing can be extended such that coordinates on points 
P and Q belong to different fields in pairing < P , Q > when the key 
sharing is to be carried out. Moreover, if the coordinates on the point P 
are defined by a small field, the calculation of the pairing can be carried 
5 out at a high speed. 

A change in a definition field of the elliptic curve is advantageous 
in that the common key cannot reliably be 1 and the calculation can be 
carried out at a high speed. In the case in which the definition field of the 
elliptic curve is to be changed, that is, two kinds of definition fields are 

10 used, two ways of corresponding to the public key are required. In the 
conventional ID - NIKS, the entity carries out the key sharing by using 
one public key determined by ID information and a self- secret key. In 
this method, the public key is mapped at a point on the same elliptic 
curve having different definition fields based on the ID information by 

15 two different methods, according to ID information or a public key one of 
the entities uses the public key utilizing one of the definition fields and 
the other entity uses the public key utilizing the other definition field. 
Thus, the key sharing is carried out. 

All the entities are divided into two groups Gi and G2. The entity 

20 belonging to the group Gi uses elements of a group including P as the ID 
information and the entity belonging to the group G2 uses elements of a 
group including Q as the ID information. Consequently the entity of the 
group Gi and that of the group G2 can share a key. 

Each entity has two kinds of ID information, and an algorithm 

25 indicative of some relationship in size is set to each ID information of the 



32 

entity A and the entity B and any ID information to be used by one of the 
entities A and B is determined. Consequently the key can be shared. 

Each entity has two kinds of ED information, and two kinds of 
values are calculated between both entities and two calculated values 
5 thus obtained are added to each other. Thus, an operation to obtain the 
same value is used to generate a common key 

By properly determining conversion between the elements of the 
group including P and those of the group including Q and using the 
conversion as system inherent public information, the key can be shared. 

10 While the case in which the elliptic curve is used as the algebraic 

curve has been described in the above example, the hyperelliptic discrete 
logarithm problem and the pairing can be defined even if the hyperelliptic 
curve is used. Therefore, extension can easily be carried out. 

FIG. 4 is a diagram showing the structure of a memory product 

15 according to an embodiment of the present invention. An illustrated 

program includes a processing of generating a secret key of each entity by 
the above-mentioned method based on the ID information of each entity 
and the center inherent secret information (a step of mapping at a point 
on an elliptic curve based on the ID information of the entity to obtain a 

20 mapping value and a step of generating the secret key by using the 
mapping value and the center inherent secret information) or a 
processing of generating a common key by the above-mentioned method 
based on the secret key of the entity itself and the public key of the entity 
to be a communication party (a step of mapping at a point on an elliptic 

25 curve based on the ID information of the entity to be a commurrication 



33 

party, thereby obtaining a mapping value and a step of generating the 
common key by using the mapping value and the secret key of the entity 
itself), which is recorded in the memory product to be described below, A 
computer 40 is provided on the center 1 side or each entity side. 
5 In FIG. 4, a memory product 41 which is on-line connected to the 

computer 40 is formed by using a WWW (World Wide Web) server 
computer provided apart from a place where the computer 40 is installed, 
for example. The memory product 41 records a program 41a described 
above. The program 41a read from the memory product 41 through a 

10 transmission medium 44 such as a communication line controls the 

computer 40, thereby generating a secret key of each entity or generating 
a common key between both entities. 

A memory product 42 provided in the computer 40 is formed by 
using a hard disk drive, an EOM or the like provided therein, for example, 

15 and records a program 42a described above. The program 42a read from 
the memory product 42 controls the computer 40, thereby generating a 
secret key of each entity or generating a common key between both 
entities. 

A memory product 43 to be attached to a disk drive 40a provided 
20 in the computer 40 is formed by using an optical magnetic disk, a CD - 
ROM, a flexible disk or the like which can be carried, for example, and 
records a program 43a described above. The program 43a read from the 
memory product 43 controls the computer 40, thereby generating a secret 
key of each entity or generating a common key between both entities. 
25 As described above in detail, in the present invention, the public 
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key generated from the ID information of each entity is mapped on the 
algebraic curve such as an elliptic curve. Therefore, it is possible to 
easily share the common key between both entities without carrying out a 
preHminary communication. In the present invention, moreover, the 
5 safety is based on the discrete logarithm problem on the algebraic curve, 
and the present invention has a resistance to an attack such as a 
collusion attack and can contribute to the development of the ID - NIKS. 

As this invention may be embodied in several forms without 
departing from the spirit of essential characteristics thereof, the present 
10 embodiment is therefore illustrative and not restrictive, since the scope of 
the invention is defined by the appended claims rather than by the 
description preceding them, and all changes that fall within metes and 
bounds of the claims, or equivalence of such metes and bounds thereof are 
therefore intended to be embraced by the claims. 

15 
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WHAT IS CLAIMED IS- 

1. A cryptographic communication method for communicating 
information through a ciphertext between entities, comprising the steps 
of 

5 generating a secret key of each entity by using mapping at a point 

on an algebraic curve based on identity information of each entity and 
secret information; 

generating at a first entity a first common key by using the secret 
key of the first entity and a public key obtained by mapping at a point on 
10 the algebraic curve based on identity information of a second entity; 

encrypting at the first entity a plaintext into a ciphertext by using 
the generated first common key and transmitting the ciphertext to the 
second entity; 

generating at the second entity the same second common key as 
15 the first common key by using the secret key of the second entity and a 
public key obtained by mapping at a point on the algebraic curve based on 
identity information of the first entity; and 

decrypting at the second entity the transmitted ciphertext into a 
plaintext by using the generated second common key. 
20 2. A method for generating a common key between a first entity and 
a second entity, comprising the steps of 

generating a secret key of the first entity by using mapping at a 
point on an algebraic curve based on identity information of the first 
entity and secret information; 
25 generating a public key of the second entity by using mapping at a 
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point on the algebraic curve based on identity information of the second 
entity; and 

generating a common key between both entities by using the 
seeret key and public key thus generated. 
5 3. The common key generating method according to claim 2, wherein 
the common key is generated by using pairing defined on the algebraic 
curve. 

4. A method for sharing a key without a preliminary communication 
between entities, comprising the steps of 

10 obtaining a secret key of a first entity; 

obtaining a public key of a second entity the public key being 
obtained by mapping at a point on an algebraic curve based on identity 
information of the second entity; and 

generating a common key between the first entity and the second 
15 entity by using the secret key and the public key. 

5. The key sharing method according to claim 4, wherein the 
algebraic curve is an algebraic curve in which a discrete logarithm 
problem defined thereon cannot be solved in a polynomial time. 

6. The key sharing method according to claim 4 } wherein numeric 
20 values which are inverse to each other are generated in a process of an 

operation in respective entities when sharing the key between the first 
entity and the second entity. 

7. The key sharing method according to claim 4, wherein a plurality 
of public keys are generated based on the identity information of each 

25 entity 
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8. A method for sharing a key without a preliminary communication 
between both entities based on respective identity information of the 
entities, wherein pairing defined on an algebraic curve is used. 

9. The key sharing method according to claim 8, wherein the pairing 
5 is Weil pairing or Tate pairing. 

10. A method for sharing a key without a preliminary communication 
between a first entity and a second entity based on respective identity 
information of the entities, wherein pairing defined on an algebraic curve 
is used to share a key by utilizing a secret key generated by using 

10 mapping at a point on the algebraic curve based on the identity 

information of the first entity and secret information and a public key 
obtained by mapping at a point on the algebraic curve based on the 
identity information of the second entity 

11. A method for generating a common key based on the key sharing 
15 method according to claim 6, wherein the common key is generated by 

utilizing a relationship of inverse between the numeric values. 

12. A method for generating a secret key of an entity based on 
identity information of the entity, wherein the secret key is generated by 
using mapping at a point on an algebraic curve based on the identity 

20 information of the entity and secret information. 

13. A method for generating a secret key of an entity based on 
identity information of the entity, wherein the secret key is generated by 
using mapping at a point on an algebraic curve based on a value obtained 
by causing a one-way function to act on the identity information of the 

25 entity and secret information. 
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14. A secret key generating device for generating a secret key of an 
entity based on identity information of the entity comprising- 

a controller capable of performing the following operations; 

(i) obtaining a mapping value by mapping at a point on an 
5 algebraic curve based on the identity information of the entity; and 

(ii) generating the secret key by using the mapping value and 
secret information. 

15. A common key generating device for generating a common key 
from a secret key based on identity information of a first entity and a 

10 public key based on identity information of a second entity to be a 
communication partner, comprising: 

a controller capable of performing the following operations; 

(i) obtaining a mapping value as the public key by mapping at a 
point on an algebraic curve based on the identity information of the 

15 second entity; and 

(ii) generating a common key by using the mapping value and 
the secret key. 

16. A cryptographic communication system for permitting a plurality 
of entities to mutually perform an encrypting process for encrypting into 

20 a ciphertext information of a plaintext to be transmitted and a decrypting 
process for decrypting the transmitted ciphertext into a plaintext, 
comprising^ 

a center generating a secret key of each entity by using mapping 
at a point on an algebraic curve based on identity information of each 
25 entity and self-secret information and sending the secret key to each 
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entity; and 

a plurality of entities generating a common key to be used for the 
encrypting process and the decrypting process by using the self- secret key 
sent from said center and a public key obtained by mapping at a point on 
5 an algebraic curve based on identity information of an entity to be 
communicated. 

17. A computer memory product having computer readable program 
code means for causing a computer to generate a secret key of an entity 
said computer readable program code means comprising- 

10 program code means for causing the computer to obtain a 

mapping value as a public key by mapping at a point on an algebraic 
curve based on identity information of the entity; and 

program code means for causing the computer to generate the 
secret key by using the mapping value and secret information* 

15 18. A computer memory product having computer readable program 
code means for causing a computer to generate, on a first entity side, a 
common key to be used for an encrypting process from a plaintext to a 
ciphertext and a decrypting; process from the ciphertext to the plaintext, 
in an cryptographic communication system said computer readable 

20 program code means comprising- 

program code means for causing the computer to input a secret 
key of the first entity; 

program code means for causing the computer to obtain a 
mapping value as a public key by mapping at a point on an algebraic 

25 curve based on identity information of a second entity to be a 
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communication partner; and 

program code means for causing the computer to generate the 
common key by using the mapping value and the input secret key. 

19, A computer data signal embodied in a carrier wave for 

5 transmitting a program, the program being configured to cause a 
computer to generate a secret key of an entity comprising^ 

a code segment for causing the computer to obtain a mapping 
value as a public key by mapping at a point on an algebraic curve based 
on identity information of the entity; and 
10 a code segment for causing the computer to generate the secret 

key by using the mapping value and secret information. 

20. A computer data signal embodied in a carrier wave for 
transmitting a program, the program being configured to cause a 
computer to generate, on a first entity side r a common key to be used for 

15 an encrypting process from a plaintext to a ciphertext and a decrypting 
process from the ciphertext to the plaintext in an cryptographic 
communication system, comprising* 

a code segment for causing the computer to input a secret key of 
the first entity; 

20 a code segment for causing the computer to obtain a mapping 

value as a public key by mapping at a point on an algebraic curve based 
on identity information of a second entity to be a communication partner ; 
and 

a code segment for causing the computer to generate the common 
25 key by using the mapping value and the input secret key. 



41 

ABSTRACT OF THE DISCLOSURE 
Mapping is carried out at a point on an elliptic curve to be utilized 
for elliptic encryption based on identity information (ID information) of 
each entity and a mapping value is set to be a pubHc key of the entity. 
5 By using the mapping value and secret information, a secret key of each 
entity is generated. The entity generates a common key to be used for 
an encrypting process and a decrypting process by utilizing the self-secret 
key and the public key to be the mapping value obtained by mapping at a 
point on the elliptic curve based on ID information of a communication 
10 participate. In this case, pairing on the elliptic curve is utilized. 
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and POWER OF ATTORNEY 

^ ORIGINAL 

□ CONTINUATION 

□ DIVISIONAL 

As a below named inventor, 1 declare that the information given herein is true, that I believe that I am the onginal. first and sole inventor (tf only one name is listed as 1 belo* : 

the specification of which is attached hereto unless the following box is checked MEHKD IN ID-NIKS CKYPICSYbiM 

□ was filed on as United States Application Number or PCT Internationa! Application Number 

and was amended on 

My residence, post office address and citizenship are as stated below next to my name 

I acknowledge my duty to disclose information which is matenal to the patentability of this application m accordance with Title 37. Code of Federal Regulations § 1 56(a) 
1 hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any amendment referred to above 
! hereby claim foreign priority benefits under Title 35, United States Code, § 119 of any foreign applications) for patent or inventor's certificate listed below and have also 
identified below any foreign application for patent or inventor's certificate having a filing date before that of the application on which pnonty is claimed 
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DATE OF FILING 


PRIORITY CLAIMED UNDER 
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APPLICATION NUMBER 


Month Day Year 


35USC 119 


Japan 


2000-133471 


5/2/2000 


YES 



I hereby claim the benefit under Title 35, United States Code, §120 of any United States application(s) listed below and, insofar as the subject matter of each of the claims of 
this application is not disclosed in the pnor United States application in the manner provided by the first paragraph of Title 35, United States Code § 112. 1 acknowledge the 
duty to disclose information which is matenal to patentability as defined in Title 37, Code of Federal Regulations, § 1 56(a) which occurred between the fiimg date of the prior 
application and the national or PCT international filing date of this application 
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PG[WER OF ATTORNEY: As a named inventor, i hereby appoint the following attorney(s) and/or Agent(s) to prosecute this application and transact all business tn the Patent 
andkrademark Office connected therewith. 

STUART LUBITZ, Reg. No. 20,680; LOUIS A. MOK, Reg No. 22,565; JOHN P. SCHERLACHER, Reg. No. 23,009, WILLIAM H WRIGHT, Reg No 36.312, DAVID LUB1TZ, 
Re§jNo 38 229. WEI-NING YANG, Reg. No. 38.690, ALFRED A D'ANDREA, JR., Reg. No 27,752, WILLIAM J KUBIDA. Reg No. 29.664. STUART T LANGLEY, Reg 
No. 33.940; MICHAEL BYORICK, Reg. No. 34,131; CAROL W BURTON, Reg. No 35,465; STEVEN C PETERSON. Reg No 36,238, STEVEN K BARTON. Reg No 
36^*45; SARAH S O'ROURKE, Reg No. 41,226; E MATTHEW G. DYOR, Reg No 42,278, 

|eid correspondence to: Hogan & Hartson LLP. DIRECT TELEPHONE CALLS TO: 

I LI 500 South Grand Avenue, Suite 1 900 21 3-337-6700 

f - Los Angeles, California 90071 
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Name of Inventor 

Masao KASAHARA 


Residence CITY 

Mino-shi 


STATE or COUNTRY 

Osaka, Japan 


3 


Post Office Address 

15-3, Aogein 4-chome, Mino-shi, Osaka 562-0025, Japan 


CITIZENSHIP 

Japanese 




Name of Inventor 


Residence CITY 


STATE or COUNTRY 


4 


Post Office Address 


CITIZENSHIP 



I further declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 
18 of the United States Code, and that such willful false statements may jeopardize the validity of the application or any patent issuing thereon 
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